Appendix 1
Lancashire Combined Fire Authority
Internal Audit Service
Annual report of the Head of Internal Audit for the year ended 31 March 2023
1 Introduction
Purpose of this report
1.1 This report summarises the work that the Internal Audit Service undertook during 2022/23 and the key themes arising in relation to risk management, governance and internal control.
The role of internal audit
1.2 The Internal Audit Service is an assurance function designed to evaluate and improve the effectiveness of risk management, control and governance processes. Public Sector Internal Audit Standards (PSIAS) require the head of internal audit to provide an opinion on the frameworks of governance, risk management and control of Lancashire Combined Fire Authority and a written report to those charged with governance, timed to support the annual governance statement.
1.3 This report is based upon the work the Internal Audit Service performed during 2022/23 and 2023/24 in relation to the 2022/23 audit plan, approved by the Audit Committee in March 2022.
1.4 The scope of our work, management and audit’s responsibilities, the basis of my assessment, and access to this report are set out in Annex 1 to this report. The levels of assurance the Internal Audit Service provides are set out in Annex 2.
1.5 An Internal Audit Service Charter is in place that establishes the framework within which Lancashire County Council's Internal Audit Service operates to best serve the Combined Fire Authority and to meet its professional obligations under applicable professional standards.
Acknowledgements
1.6 I am grateful for the assistance that has been provided to the Internal Audit Service by the staff of Lancashire Fire and Rescue Service in the course of our work during the year.
Andrew Dalecki
Head of Internal Audit, Lancashire County Council
June 2023
2 Overall opinion on governance, risk management and internal control
Overall opinion
2.1 Overall, I can provide substantial assurance regarding the adequacy of design and effectiveness in operation of the organisation's frameworks of governance, risk management and control. No significant areas of weakness in overall governance, risk management or control have been identified from our audit work.
2.2 Although we acknowledge that the introduction of Fusion has caused some practical issues within the Lancashire Fire and Rescue Service (LFRS), we are satisfied that additional controls have been introduced to mitigate any risks.
2.3 In forming my opinion, I have considered the work undertaken by the Internal Audit Service throughout the year as well as information available from less formal sources than planned audit engagements.
Wider sources of assurance available to the Combined Fire Authority
2.4 Assurance is provided by Grant Thornton as the Authority's external auditor. Grant Thornton issued an unqualified opinion on the 2021/22 financial statements on 30 November 2022. They also confirmed their opinion that there were no significant weaknesses in the arrangements for financial sustainability, governance and economy, efficiency and effectiveness in the use of resources.
2.5 His Majesty's Inspector of Fire and Rescue Services and Constabulary undertook their latest inspection between November 2021 and January 2022. This assessment graded LFRS as 'Good' in the three principal areas assessed: effectiveness, efficiency, and how well the Service looks after its people.
2.6 Assurance over the operation of the Pension Fund has been obtained from work conducted directly by Lancashire County Council's Internal Audit Service, work undertaken by the Local Pensions Partnership (Administration) Ltd (LPPA) Internal Audit, and by KPMG for the Local Pensions Partnership (Investments) Ltd (LPPI).
3 Internal audit work undertaken
3.1 The table below reports the status of each audit completed during the year and the assurance opinion. This shows that all the budgeted days (70) have been spent in delivering the audit plan. All 2022/23 work has been completed.
| | Audit days: Planned | Audit days: Actual | Audit days: Variation | Status | Assurance Opinion |
|---|---|---|---|---|---|
| Governance and business effectiveness | | | | | |
| Overall governance, risk management and control arrangements | 3 | 3 | 0 | Completed | |
| Service delivery and support | | | | | |
| Recruitment - Positive Action | 12 | 11 | 1 | Completed January 2023 | Substantial |
| Carbon Management Arrangements | 12 | 12 | 0 | Completed April 2023 | Substantial |
| Business processes | | | | | |
| Accounts payable | 8 | 5 | 3 | Completed March 2023 | Substantial |
| Accounts receivable | 5 | 3 | 2 | Completed March 2023 | Substantial |
| General ledger | 5 | 3 | 2 | Completed March 2023 | Substantial |
| HR/ Payroll | 9 | 8 | 1 | Completed November 2022 | Substantial |
| Pensions administration | 1 | 1 | 0 | See 2.6 | |
| Treasury management | 4 | 5 | -1 | Completed October 2022 | Substantial |
| Follow up audit activity | | | | | |
| Training, Learning and Development | 1 | 5 | -4 | Completed February 2022 | Six actions have been implemented and one superseded. |
| Management of On Call provision | 1 | 4 | -3 | Completed June 2023 | Two actions have been implemented and two are progressing. |
| Other components of the audit plan | | | | | |
| Management activity | 8 | 9 | -1 | N/A | |
| National Fraud Initiative | 1 | 1 | 0 | | |
| Total | 70 | 70 | 0 | | |
Follow up work
3.2 Under the Public Sector Internal Audit Standards, management has responsibility for ensuring that agreed actions in audit reports are implemented. Internal Audit should obtain assurances that actions have been implemented as agreed or that senior management has accepted the risk of not taking action.
3.3 Our follow up audit work has involved obtaining explanations and evidence where appropriate that actions have been implemented. We have not re-performed any testing on controls which were found to be adequately designed and operating effectively at the time of our original review, and neither have we re-assessed the overall control environment.
3.4 As detailed in the above table, good progress has been made in the implementation of actions. Of the 11 agreed actions, 8 (72%) have been implemented, with 2 (18%) progressing and 1 (10%) superseded.
4 Extracts from Audit Reports
4.1 Extracts of assurance summaries are shown in Appendix A for the audits finalised since the March 2023 Audit Committee.
5 Fraud/ special investigations
5.1 In October 2022, a bank mandate fraud occurred with a value of £1,465.45. However, we are satisfied that additional controls have been put in place to mitigate the risk of this happening again. We verified that these were operating effectively as part of the 2022/23 Payroll Audit.
National Fraud Initiative (NFI)
5.2 The NFI is a statutory data matching process for health, local government and other public sector providers managed by the Cabinet Office. It flags inconsistencies in data within payroll, pensions, creditors and procurement which may indicate fraud or highlight emerging fraud risks.
5.3 Following the submission of data in October and November 2022, the resulting matches were released by the Cabinet Office in January and February 2023. The table below details the total number of matches identified. Limited action has been taken on processing the matches due to the timing of the release and LFRS operational pressures such as Fusion. Action will progress later in the year.
| Category of data | Number of matches identified 2022/23 | Number of matches identified 2021/22 |
|---|---|---|
| Pensions | 25 | 16 |
| Payroll | 24 | 15 |
| Creditors | 213 | 269 |
| Procurement | 0 | 0 |
| Total | 262 | 300 |
6 Implications for the Annual Governance Statement
6.1 In making its annual governance statement the Combined Fire Authority should consider this report in relation to internal control, risk management and corporate governance.
6.2 We do not consider there are any matters arising from the audit work conducted during 2022/23 that require specific identification in the annual governance statement.
7 Internal audit quality assurance and improvement
Client satisfaction
7.1 Internal Audit invites feedback on the quality of service provided by issuing a ‘satisfaction questionnaire’ at the end of each audit. This is an important process in terms of identifying how the audit was received and it is also an important means of identifying aspects of the audit process that can be improved.
7.2 Our auditees have told us in every case that, overall, they were satisfied with the way we conducted our work with them. We also seek more detailed feedback in relation to our audit planning, the audit process and reporting, our behaviour, and our management and service to our auditees. Our auditees have provided positive feedback across all these areas. There were no common themes in the responses received that highlighted any particular areas for improvement.
Ongoing and periodic assessments
7.3 In accordance with the Public Sector Internal Audit Standards (PSIAS), the Council’s Internal Audit function is required to have an external quality assessment (EQA) undertaken at least once every 5 years as part of its Quality Assurance Framework.
7.4 To ensure compliance with this requirement, the Chartered Institute of Internal Auditors (CIIA) completed an external quality assessment of Internal Audit in February 2023. The assessment included a full validation of the Internal Audit Service’s own self-assessment against the PSIAS and the International Professional Practices Framework (IPPF). Interviews with key stakeholders across the Council were held, along with discussions with Internal Audit Service team members, and a stakeholder survey was issued to managers.
7.5 The Internal Audit Service conforms to 56 of the 64 relevant principles, with partial conformance on four principles. Four of the remaining principles were not relevant to Lancashire County Council's Internal Audit Service. This has resulted in an overall opinion that the Internal Audit team “generally conforms” to the IIA Standards. This is the same overall rating that the service achieved at the last assessment completed in November 2017 and is the highest of the three global grading definitions used in an EQA.
7.6 Our performance was measured in the following five key areas:
· IIA Standards
· Focus on performance, risk and adding value
· Coordination and maximising assurance
· Operating with efficiency
· Quality Assurance and Improvement Programme.
Since our last assessment we have improved in one of these areas (operating with efficiency) moving from satisfactory to good. We have retained the same rating in the other four areas. The report has identified areas for improvement and the aim of the service is to achieve a good standard for all five areas.
7.7 The Chartered Institute of Internal Auditors (CIIA) have reported in their EQA annual performance report that on average the number of recommendations they make in an EQA to help improve an internal audit function is 14. Following our assessment, the CIIA have made five recommendations. The Internal Audit Service is working towards addressing these.
7.8 The Internal Audit Service has designed procedures and an audit methodology that conform to PSIAS and are regularly reviewed. Every auditor in the team is required to comply with these or document the reasons why not, and to demonstrate this compliance on every audit assignment. The audit managers assess the quality of each audit concurrently as it progresses, and a post-audit file review process has been undertaken. These reviews indicate that there is good evidence of compliance with our audit methodology and input from the audit managers to support the work of the auditors.
7.9 In addition to these periodic file reviews, the service's methodology includes a step which requires the Head of Internal Audit to read each report as it is finalised. This does not entail an additional detailed review and the auditors' reports remain theirs, using their own style and wording, but is intended to ensure that each assignment can be adequately understood and is properly communicated.
7.10 The Internal Audit Service has a hybrid approach to work, with staff predominantly being home-based but undertaking client site visits as the requirements of the audit have dictated. There are performance management and support arrangements in place to support this, including the agreement of delivery timescales with clients and identifying the audits that will aim to be completed for each meeting of the Committee.
Appendix A
Carbon Management
| Overall assurance rating | Audit findings requiring action: Extreme | High | Medium | Low |
|---|---|---|---|---|
| Substantial | 0 | 0 | 0 | 0 |

See Appendix A for Rating Definitions
The revised Carbon Management Plan (CMP) was populated in April 2020 and presented to the Resources Committee in September 2020. The plan shows a clear commitment to embedding reductions in environmental impact into Lancashire Fire and Rescue Service (LFRS) core business and recognises the reality of climate change and the importance of cutting carbon emissions. A Climate Change Operational Response Plan (CCORP), which is based on LFRS high level ambitions for the period 2022-27, was presented and agreed by both the Executive Board and Lancashire Combined Fire Authority (LCFA) in November 2021 and by the Prevention, Protection, Response and Strategy Group (PPRSG) in December 2021. A Carbon Management Team (CMT) is led by the Head of Safety, Health and Environment, who is responsible for evolving and implementing the CMP and for achieving the carbon management targets.

LFRS are currently focussing on the four key areas identified within the Carbon Management and Climate Change plans, which are: to reduce carbon emissions from use in buildings and transport and to reduce the impact and consequences of climate change in terms of both prevalence and duration of large-scale flooding and wildfire events in the county. LFRS have reduced carbon emissions as well as making reductions in electricity, gas, fuel and water use. LFRS has established strong partnership working arrangements in order to prevent large-scale flooding and wildfires. It is acknowledged that not all aspirational targets have been met for various reasons and action has been taken to address this. Where possible LFRS implement change and consider carbon management and climate change and have taken several steps to change the culture within the organisation. They have ISO14001 accreditation, which maps out a framework that an organisation can follow to set up an effective environmental management system.

Reporting on Climate Change takes place through a six weekly CCORP checkpoint meeting. A checkpoint report is completed by the reference holder every quarter, which then provides PPRSG with an update in relation to progress made against LFRS aspirations. Additionally, each individual reference holder also updates the Action Management System (AMS) with new actions and progress of these actions. Progress on the Carbon Management Plan is detailed in the LFRS Annual Safety, Health, Environment Report. This was last reported to the June 2022 LCFA meeting for the period 1 April 2021 to 31 March 2022.
On Call Provision - Follow up
|
|
Status of agreed actions |
||||
|
Extreme |
High |
Medium |
Low |
|
|
Moderate. See Appendix A for Rating Definitions
|
Number of actions |
|
1 |
3 |
|
|
Implemented |
|
|
2 |
|
|
|
Progressing |
|
1 |
1 |
|
|
|
A follow-up audit has been conducted to determine the progress made by Lancashire Fire and Rescue Service to implement the actions agreed in the Internal Audit report, Management of On-Call Provision, issued in April 2022. Our original review provided moderate assurance over the adequacy and effectiveness of the Management of On-Call Provision arrangements that are in place in ensuring that stations have sufficient or appropriate On Call cover to provide the required operational response to any incident. Three medium and one low risk actions were agreed to be implemented by July to September 2022, although this was later extended to March 2023.

Based on the information and evidence provided to us, we are satisfied that adequate progress has been made in implementing the agreed actions. A new Service Policy 'Management of Working Hours' has been drafted and a monitoring report has been developed to monitor the monthly average working hours of staff. The Policy and monitoring report are programmed to go live 01 July 23. Additionally, a new voluntary opt out form has been developed to ensure all staff that work over an average of 48 hours per week have signed an opt out form by 31 August 23.

LFRS includes the On-Call management update and performance figures within the monthly area management meetings, from which any actions are followed up regularly. Additionally, LFRS has introduced a contractual performance report for each station, which shows the total of hours over a period of time and what their weekly hours are, and an area report which provides an on-call overview including contributing factors of low availability, unit positives and actions proposed. A new exit interview form has been devised; however, the implementation of this is still being developed.
Annex 1: Scope, responsibilities and assurance
Approach
1 The Internal Audit Service operates in accordance with Public Sector Internal Audit Standards, 2017. The scope of internal audit encompasses all of the governance, risk management and control processes of the Combined Fire Authority including where they are provided by other organisations on their behalf.
Responsibilities of management and internal auditors
2 It is management’s responsibility to maintain systems of risk management, internal control and governance. Internal audit is an element of the internal control framework assisting management in the effective discharge of its responsibilities and functions by examining and evaluating controls.
3 Lancashire Combined Fire Authority has taken the decision to outsource their internal audit provision, and Lancashire County Council's Internal Audit Service was the appointed service provider for 2022/23.
4 It is the role of the Internal Audit Service to provide independent assurance that these risk management, control and governance processes are adequately designed and effectively operated. The PSIAS makes clear that the provision of this assurance is internal audit's primary role and that this requires the head of internal audit to provide an annual opinion based on an objective assessment of the framework of governance, risk management and control.
5 This assessment will be supported by the identification, analysis, evaluation and documentation of sufficient information on each individual audit assignment, and the completion of sufficient assignments to support an overall opinion for the organisation as a whole.
6 Internal auditors cannot be held responsible for internal control failures. However, we have planned our work so that we have a reasonable expectation of detecting significant control weaknesses. We have reported all such weaknesses to you as they have become known to us, without undue delay, and have worked with you to develop proposals for remedial action.
7 The requirement to be independent and objective means that the Internal Audit Service cannot assume management responsibility for risk management, control or governance processes. However, the Internal Audit Service may support management by providing consultancy services. These are advisory in nature and are generally performed at the specific request of the organisation, with the aim of improving governance, risk management and control and will also contribute to the overall assurance opinion.
8 Accountability for responses to the Internal Audit Service’s advice and recommendations for action lies with the Senior Management Team, which either accepts and implements the advice or accepts the risks associated with not taking action. Audit advice, including where the Internal Audit Service has been consulted about significant changes to internal control systems, is given without prejudice to the right of the Internal Audit Service to review and recommend further action on the relevant policies, procedures, controls and operations at a later date.
9 The head of internal audit will provide an annual report incorporating an overall opinion, a summary of the work that supports that opinion, and a statement of conformity with the PSIAS and the results of the quality assurance and improvement programme.
10 The Internal Audit Service is not responsible for the prevention or detection of fraud and corruption. Managing the risk of fraud and corruption is the responsibility of management. Internal auditors will, however, be alert in all their work to risks and exposures that could allow fraud or corruption and to any indications that fraud and corruption may have occurred. Internal audit procedures alone, even when performed with due professional care, cannot guarantee that fraud or corruption will be detected.
Basis of our assessment
11 Our opinion on the adequacy of control arrangements is based upon the result of internal audit reviews undertaken and completed during the period in accordance with the plan approved by the Audit Committee. We have obtained sufficient, reliable and relevant evidence to support the improvements that we proposed and that have been accepted by management.
Limitations to the scope of our work
12 There have been no limitations to the scope of our audit work.
Limitations on the assurance that internal audit can provide
13 There are inherent limitations as to what can be achieved by internal control and consequently limitations to the conclusions that can be drawn from our work as internal auditors. These limitations include the possibility of faulty judgement in decision making, of breakdowns because of human error, of control activities being circumvented by the collusion of two or more people and of management overriding controls. Also, there is no certainty that internal controls will continue to operate effectively in future periods or that the controls will be adequate to mitigate all significant risks which may arise in future.
14 Decisions made in designing internal controls inevitably involve the acceptance of some degree of risk. As the outcome of the operation of internal controls cannot be predicted with absolute assurance, any assessment of internal control is judgmental.
Access to this report and responsibility to third parties
15 This report has been prepared solely for the Combined Fire Authority. This report forms part of a continuing dialogue between the Internal Audit Service, senior officers within Lancashire Fire and Rescue Service and the Audit Committee. It is not therefore intended to include every matter that came to our attention during each internal audit review.
16 We acknowledge that this report may be made available to other parties, such as the external auditors. We accept no responsibility to any third party who may receive this report for any reliance that they may place on it and, in particular, we expect the external auditors to determine for themselves the extent to which they choose to utilise our work.
Annex 2: Audit assurance levels and classification of agreed actions
Note that our assurance may address the adequacy of the control framework's design, the effectiveness of the controls in operation, or both. The wording below addresses all of these options and we will refer in our reports to the assurance applicable to the scope of the work we have undertaken.
· Substantial assurance: the framework of control is adequately designed and/ or effectively operated overall.
· Moderate assurance: the framework of control is adequately designed and/ or effectively operated overall, but some action is required to enhance aspects of it and/ or ensure that it is effectively operated throughout.
· Limited assurance: there are some significant weaknesses in the design and/ or operation of the framework of control that put the achievement of its objectives at risk.
· No assurance: there are some fundamental weaknesses in the design and/ or operation of the framework of control that could result in failure to achieve its objectives.
Classification of residual risks requiring management action
All actions agreed with management are stated in terms of the residual risk they are designed to mitigate.
Extreme residual risk: critical and urgent in that failure to address the risk could lead to one or more of the following: catastrophic loss of the LFRS services, loss of life, significant environmental damage or significant financial loss, with related national press coverage and substantial damage to the LFRS reputation. Remedial action must be taken immediately.

High residual risk: critical in that failure to address the issue or progress the work would lead to one or more of the following: failure to achieve organisational objectives, significant disruption to the LFRS business or to users of its services, significant financial loss, inefficient use of resources, failure to comply with law or regulations, or damage to the LFRS reputation. Remedial action must be taken urgently.

Medium residual risk: failure to address the issue or progress the work could impact on operational objectives and should be of concern to senior management. Prompt specific action should be taken.

Low residual risk: matters that individually have no major impact on achieving the service's objectives, but when combined with others could give cause for concern. Specific remedial action is desirable.